The Cybersecurity and Infrastructure Security Agency (CISA) on June 3 added a critical 9.8 Mirasvit bug that has been actively exploited on Magento servers to its Known Exploited Vulnerabilities (KEV) catalog.

CISA added the bug to the KEV after Sansec first reported the case in a May 26 blog post. The agency said the bug, CVE-2026-45247, is a flaw in the Mirasvit Full Page Cache Warmer extension that, once exploited, could lead to remote code execution (RCE). Federal security teams were advised by CISA to apply the patch by June 6.

Security pros were concerned because an estimated 20% of U.S. retailers use Magento (now Adobe Commerce) to run their e-commerce operations. It’s estimated that there are between 200,000 and 250,000 Magento websites worldwide. Some security pros said that, given how organizations deploy Magento, it’s difficult to know how many are affected.

“My biggest concern with this vulnerability is that we still don’t know the true size of the exposed population,” said John Strand, principal at BHIS. “Initial estimates focused on a few thousand known systems, but many Magento deployments sit behind services like Cloudflare and other CDN providers, making them difficult to identify through internet-wide scanning. As a result, the number of potentially vulnerable systems could be significantly higher than what we’ve seen so far.”

Shane Barney, chief information security officer at Keeper Security, explained that a CVSS 9.8 vulnerability that requires no authentication and fires on ordinary storefront traffic is about as serious as it gets, and that CISA's three-day remediation window for federal agencies reflects this urgency. Barney said organizations running Mirasvit Cache Warmer on Magento or Adobe Commerce should treat patching to version 1.11.12 as an immediate priority, and that commercial operators should hold themselves to the same standard.

“The patching conversation is the obvious one, but it’s not the only important takeaway here,” said Barney. “Remote code execution on a production e-commerce server means an attacker has a foothold in an environment that typically holds payment credentials, API keys, database access and customer data. What happens next depends entirely on how well that environment is locked down. Organizations that enforce least-privilege access, rotate secrets regularly and maintain visibility over privileged sessions are far better positioned to contain the damage from a compromise like this.”

Andi Ursry, threat intelligence analyst at Blackpoint Cyber, added that successful exploitation could let threat actors execute arbitrary code on vulnerable servers, which could lead to website compromise, customer data theft, payment card skimming, or malware deployment.

“Because Magento powers so many e-commerce platforms, threat actors may see these environments as attractive targets because of the sensitive customer and payment data they process,” said Ursry. “A single compromised extension can also offer a foothold for threat actors to seek deeper access into connected business systems.”

Ursry said organizations should quickly identify whether affected Mirasvit extensions are present in their Magento or Adobe Commerce environments and apply available patches. Security teams should then review logs, monitor for suspicious activity, and investigate for indicators of compromise that suggest exploitation. Ursry said organizations should also validate that Magento systems are running supported versions, that unnecessary administrative access is restricted, and that least-privilege practices are implemented and enforced.

Noelle Murata, chief operating officer at Xcape, Inc., said an unauthenticated RCE flaw in a major e-commerce extension demands an immediate pivot from standard, scheduled patching to emergency incident response. The active exploitation of the Mirasvit Full Page Cache Warmer extension introduces severe supply-chain risk for U.S. retailers running Adobe Commerce or Magento environments. Because the vulnerability lets attackers bypass storefront authentication by injecting malicious base64-encoded payloads into the CacheWarmer HTTP cookie, Murata said adversaries can execute arbitrary code and gain full administrative control without valid credentials.

“This situation underscores the fact that third-party add-ons can completely undermine the security baseline of an otherwise secure core platform,” said Murata. “Security leaders must treat this as an emergent crisis, deploying immediate software upgrades while actively hunting for post-exploitation artifacts across their web server footprints.”
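The two defensive steps the experts above describe are checking the installed Cache Warmer version against the 1.11.12 fix and reviewing request logs for abnormal CacheWarmer cookie values. The following triage helper is an added example, not code from the article, Mirasvit, or any quoted vendor. It assumes the cookie is named exactly `CacheWarmer`, that versions compare as dotted integers, and that a benign value is short standard base64 decoding to printable text; since the article does not describe the payload format, every "suspicious" rule here is a heuristic assumption.

```python
import base64
import binascii
import re
from urllib.parse import unquote

FIXED_VERSION = (1, 11, 12)  # patched release named in the article
COOKIE_NAME = "CacheWarmer"  # cookie named in the article
PHP_SERIALIZED = re.compile(rb"^[OaCs]:\d+:")  # PHP serialize() prefixes
PHP_CODE = re.compile(rb"<\?php|\beval\(|\bsystem\(|base64_decode\(")

def needs_patch(installed):
    """True when the installed Cache Warmer version is older than the fix."""
    return tuple(int(p) for p in installed.split(".")) < FIXED_VERSION

def get_cookie(cookie_header, name=COOKIE_NAME):
    """Return one cookie's value from a raw Cookie request header, or None."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return unquote(value)
    return None

def inspect_cookie(cookie_header):
    """Reasons the CacheWarmer cookie looks abnormal; [] means nothing seen.
    Heuristic (assumption): a benign value is short base64 that decodes to
    printable text with no PHP serialization prefix or PHP code marker."""
    value = get_cookie(cookie_header)
    if value is None:
        return []
    reasons = ["oversized"] if len(value) > 512 else []
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return reasons + ["not valid base64"]
    if PHP_SERIALIZED.match(raw):
        reasons.append("php serialized object")
    if PHP_CODE.search(raw):
        reasons.append("php code marker")
    if any((b < 0x20 and b not in (9, 10, 13)) or b > 0x7E for b in raw):
        reasons.append("binary content")
    return reasons

def scan_requests(requests):
    """requests: iterable of (client, cookie_header); returns the flagged pairs."""
    return [(c, r) for c, h in requests for r in [inspect_cookie(h)] if r]

# Constructed samples (not from the article): a plausible benign value and one
# carrying a harmless PHP serialized object that trips the first heuristic.
BENIGN_COOKIE = "CacheWarmer=" + base64.b64encode(b'{"pages":12}').decode()
SUSPECT_COOKIE = "PHPSESSID=x; CacheWarmer=" + base64.b64encode(b'O:8:"stdClass":0:{}').decode()
```

Feed `scan_requests` the client address and raw Cookie header from your web server or WAF logs; anything it returns is a lead to investigate alongside the version check, not proof of compromise.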
9.8 Mirasvit bug actively exploited on Magento servers
